2009/11/25 Vincent Hoffman <vi...@unsane.co.uk>

> krad wrote:
> > 2009/11/24 Brian McCann <bjmcc...@gmail.com>
> >
> >> I'm at the end of my rope here with PF. I have a ruleset loaded, that
> >> is long and complicated... but I've shortened it to a "pass all" rule.
> >> The box has 4 interfaces, one for pfsync, one for me to connect to it,
> >> and two bridged interfaces. The only traffic on the bridged
> >> interfaces is STP and IP multicast traffic from my EIGRP routers.
> >> When I run "pfctl -s rules -v", the EIGRP multicast traffic never hits
> >> any rules... yet it's allowed.
> >>
> >> I'm on FreeBSD 7.1.
> >>
> >> Has anyone else come across this before? I'm ready to throw out
> >> FreeBSD 7.1 and try OpenBSD for pf use... which would be a shame since
> >> I use FreeBSD for all my other servers, and having 2 OpenBSD boxes
> >> would just be... weird...
> >>
> >> --Brian
> >>
> Have you read the if_bridge(4) manpage? I'd recommend starting at the
> heading "PACKET FILTERING" and checking you have the correct sysctl
> settings.
> pf certainly can filter bridge interfaces according to the manpage. That
> said I've never tried it.
>
>
> Vince
> >> --
> >> _-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_-=-_
> >> Brian McCann
> >>
> >> "I don't have to take this abuse from you -- I've got hundreds of
> >> people waiting to abuse me."
> >> -- Bill Murray, "Ghostbusters"
> >> _______________________________________________
> >> freebsd-questions@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
> >>
> >>
> >
> > pf works at layer 3 (ip); bridging works at layer 2 (ethernet/datalink),
> > therefore the traffic probably never gets to the upper layer of the ip stack
> > where pf works.
> >
> > You can do l2 filtering with ipfw if you enable the sysctl variable
> > net.link.bridge.ipfw=1. However I'm not sure if you can do it with pf on
> > freebsd. I had a quick scout through the man pages and can't see anything.
> > However I'm fairly sure you can do l2 stuff with pf in openbsd.
> >
> > As your traffic is multicast you could always configure your bsd box as a
> > multicast router rather than bridging the traffic. pf should see the traffic
> > then as you're working at l3 and above

I think this is the one you want:

echo net.link.bridge.pfil_bridge=1 >> /etc/sysctl.conf
/etc/rc.d/sysctl restart
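As an added example (not from any of the posters), a small POSIX sh audit of the if_bridge(4) sysctl knobs the replies point at: it reads `sysctl net.link.bridge` output (a constructed sample here, not from the thread) and reports whether pf will see bridged frames at all, on which interface, and whether each frame will pass through the ruleset more than once.

```shell
#!/bin/sh
# Constructed sample of what `sysctl net.link.bridge` prints on a FreeBSD box;
# values are chosen for illustration and are not taken from the thread.
SAMPLE_SYSCTL='net.link.bridge.ipfw: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0'

# get_oid SYSCTL_TEXT OID: print the value of one OID from sysctl output,
# or 0 when the OID is absent (e.g. if_bridge not loaded).
get_oid() {
    v=$(printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }')
    printf '%s\n' "${v:-0}"
}

# pf_hook_points SYSCTL_TEXT: where pfil(9), and therefore pf, gets to see
# bridged frames. Prints one of: none, member, bridge, member+bridge, unknown
pf_hook_points() {
    m=$(get_oid "$1" net.link.bridge.pfil_member)
    b=$(get_oid "$1" net.link.bridge.pfil_bridge)
    case "${m}${b}" in
        00) echo none ;;
        10) echo member ;;
        01) echo bridge ;;
        11) echo member+bridge ;;
        *)  echo unknown ;;
    esac
}

# bridge_pf_advice SYSCTL_TEXT: one-line verdict, with the fix from the thread
# when pf is not hooked into the bridge at all.
bridge_pf_advice() {
    hooks=$(pf_hook_points "$1")
    if [ "$hooks" = none ]; then
        echo "pf never sees bridged traffic: set net.link.bridge.pfil_bridge=1 (or pfil_member=1) in /etc/sysctl.conf"
    elif [ "$hooks" = member+bridge ]; then
        echo "pf filters on the member interfaces and on the bridge: each frame is evaluated more than once, so write rules per interface"
    else
        echo "pf filters bridged traffic on the $hooks interface(s)"
    fi
}

bridge_pf_advice "$SAMPLE_SYSCTL"
```

On a real box, replace the sample with `"$(sysctl net.link.bridge)"`.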